// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package tls12

import (
	
	
	
	
)

// PRF implements the TLS 1.2 pseudo-random function, as defined in RFC 5246,
// Section 5 and allowed by SP 800-135, Revision 1, Section 4.2.2.
func [ fips140.Hash]( func() ,  []byte,  string,  []byte,  int) []byte {
	 := make([]byte, len()+len())
	copy(, )
	copy([len():], )

	 := make([]byte, )
	pHash(, , , )
	return 
}

// pHash implements the P_hash function, as defined in RFC 5246, Section 5.
func [ fips140.Hash]( func() , , ,  []byte) {
	 := hmac.New(, )
	.Write()
	 := .Sum(nil)

	for len() > 0 {
		.Reset()
		.Write()
		.Write()
		 := .Sum(nil)
		 := copy(, )
		 = [:]

		.Reset()
		.Write()
		 = .Sum(nil)
	}
}

const masterSecretLength = 48
const extendedMasterSecretLabel = "extended master secret"

// MasterSecret implements the TLS 1.2 extended master secret derivation, as
// defined in RFC 7627 and allowed by SP 800-135, Revision 1, Section 4.2.2.
func [ fips140.Hash]( func() , ,  []byte) []byte {
	// "The TLS 1.2 KDF is an approved KDF when the following conditions are
	// satisfied: [...] (3) P_HASH uses either SHA-256, SHA-384 or SHA-512."
	 := ()
	switch any().(type) {
	case *sha256.Digest:
		if .Size() != 32 {
			fips140.RecordNonApproved()
		}
	case *sha512.Digest:
		if .Size() != 46 && .Size() != 64 {
			fips140.RecordNonApproved()
		}
	default:
		fips140.RecordNonApproved()
	}

	return PRF(, , extendedMasterSecretLabel, , masterSecretLength)
}